International Journal of Applied Information Systems (IJAIS) – ISSN : 2249-0868, Foundation of Computer Science FCS, New York, USA, Volume 2 – No. 6, May 2012 – www.ijais.org

Detecting HTTP Botnet using Artificial Immune System (AIS)

Amit Kumar Tyagi, Department of Computer Science, School of Engineering and Technology, Pondicherry University, Puducherry-605014, INDIA
Sadique Nayeem, Department of Computer Science, School of Engineering and Technology, Pondicherry University, Puducherry-605014, INDIA

ABSTRACT

Today a wide range of malicious programs are "installed" on machines around the world without the permission of their users, turning those machines into Bots, i.e. hosts completely under the control of an attacker. A Botnet is a collection of compromised Internet hosts (thousands of Bots) on which remote-control software has been installed by malicious users to maximise profit from illegal activities such as DDoS, spamming and phishing attacks on online networks. Several kinds of Command and Control (C&C) infrastructure exist today, e.g. IRC, P2P and HTTP Botnets. Among these, an HTTP Botnet is a group of Bots that show similar communication and malicious-activity patterns within the same Botnet, exchanging GET and POST messages with their C&C server. The move to HTTP began with advances in "exploit kits" (e.g. the Zeus, SpyEye and Black Energy Botnets); later features such as protocol changing, encrypted communication, intermittent communication, Botnet sub-grouping, source concealment and firewall friendliness have made HTTP Botnets the type of greatest interest to the research community. In this paper we propose a new, general HTTP Botnet detection framework for real-time networks based on the Artificial Immune System (AIS). AIS is a relatively new bio-inspired model that has been applied to a range of problems in information security; we use it in our framework to make the detection of HTTP Botnets more efficient. Concretely, we use AIS to detect malicious activities such as spamming and port scanning on Bot-infected hosts, and from those activities to detect the exploit kit on the compromised system. Our experimental evaluation shows that the approach detects HTTP Botnet activity with high efficiency and a low false-positive rate.

Keywords
Botnet; Bot; AIS; Spam; Scan; HTTP Bot

1. INTRODUCTION

As technology advances, attackers also use the latest technology for malicious purposes; the threat has moved from traditional viruses to Botnets and rootkits, and Botmasters have increasingly turned to cyber crime for profit [7]. Today the most serious manifestation of advanced malware is the Botnet. "Cyber Security embraces the protection of both private and public sector interests in cyber space and their dependency on digital networks, and also the protection of the exploitation of opportunities – commercial or public policy – that cyber space offers [15]." What distinguishes a Botnet from other kinds of malware is its C&C infrastructure [6, 7]. To understand Botnets, two terms must be defined first, Bot and Botmaster. The term "Bot" is derived from "robot" [40] and is a generic term for a script or set of scripts designed to perform a predefined function in an automated fashion. A Botnet is a collection of compromised Internet hosts (thousands of Bots) on which remote-control software has been installed by malicious users to maximise the profit from performing illegal activities on online networks. Once the Bot code has been installed on the compromised computers, the Bots provide the following services to their Botmaster:
- robust network connectivity;
- individual encryption and dispersion of control traffic;
- limited exposure of the Botnet by any single Bot;
- easy monitoring and recovery by the Botmaster.

In this paper the terms BotHerder and Botmaster are used interchangeably [12]. Bots usually spread themselves across the Internet by looking for vulnerable and unprotected computers. When a Bot finds an unprotected computer it infects it without the user's knowledge and then reports to the Botmaster [7]. The Bot stays hidden until the Botmaster instructs it to perform an attack or some other task that harms online users. Other ways attackers infect Internet-connected computers with Bots include sending e-mail and using malicious websites. Based on our understanding, the activities associated with a Botnet can be classified into three parts [38, 39]:
1. Searching – searching for vulnerable and unprotected computers.
2. Distribution – the Bot code is distributed to the target computers, so the targets become Bots.
3. Sign-on – the Bots connect to the Botmaster and become ready to receive C&C traffic.

In this paper we propose a framework to detect an HTTP-Bot-infected network. The difference between our framework and the one proposed by Hossein et al. in [7, 41], which uses AIS to detect IRC/P2P Botnets, is that our approach does not require prior knowledge of Botnets such as Botnet signatures or other Botnet-specific details. AIS is a general term, defined as "adaptive systems, inspired by theoretical immunology and observed immune functions, principles and models, which are applied to problem solving", akin to other bio-inspired models such as genetic algorithms, neural networks, evolutionary algorithms and swarm intelligence [40]. AIS is inspired by the human immune system (HIS), the system of structures in the human body that distinguishes foreign pathogens and cells from the body's own cells and protects the body against disease [8]. Just as the HIS protects the human body against foreign pathogens, AIS offers a distinctive feature, a multilayered protection structure [13], for protecting computer networks against attacks performed over the Internet. Network security researchers have therefore focused on using and optimising it in IDS. In this work we use AIS techniques to effectively detect malicious activities such as spamming and port scanning as part of the process of detecting an HTTP-Bot-infected network.

The rest of the paper is organised as follows: Section 2 describes related work. Section 3 gives an introduction to AIS. The communication mechanism of HTTP Botnets is explained in Section 4. Existing solutions for detecting an HTTP-Botnet-infected network are described in Section 5. In Section 6 we describe our proposed detection framework for HTTP Botnets, and Section 7 concludes the paper.

2. RELATED WORK

As discussed, Bots and Botnets have been a hot topic for the last few years because of the large number of cyber-crime attacks that steal valuable user data [6]. Among them the HTTP Botnet is a dangerous vehicle for launching attacks and infecting systems behind their users' backs. Today HTTP Botnets are one step ahead of defenders and use the strongest available methods and technology (such as strong cryptography) to carry out attacks; the Asprox Botnet, for example, is cited as having infected a very large number of computers in the US alone. What distinguishes a Botnet from other kinds of malware is its C&C infrastructure, and to avoid loss of service when a C&C server goes offline Botnets use advanced hydra and fast-flux service networks that keep the malicious content highly available. The Mariposa Botnet, for example, uses its own protocol (the Iserdo transport protocol over UDP) for all of its activity over the Internet, and most networks allow traffic on port 80 [21]. HTTP-based Botnets use the C&C infrastructure to communicate between the Bots and their Botmaster; the Asprox Botnet, for example, is an echo-based Botnet. In the echo-based type, a Bot announces its existence to the C&C server by sending a full URL (Uniform Resource Locator) to the web server; the HTTP request itself confirms the Bot's existence to the C&C server before any activity is carried out. The Bot replays the forum.php

... in this mechanism the new antibody can bind not only to harmful antigens but also to essential self cells [37]. To prevent serious damage to self cells, the biological immune system employs negative selection, which eliminates immature antibodies that bind to self cells [7]; only antibodies that do not bind to any self cell are propagated [13]. Negative selection algorithms have proven very good at differentiating between self (normal) and non-self (abnormal) and have therefore been used to address several anomaly detection problems [12, 18]. A typical negative selection algorithm [8] begins by randomly generating a set of candidate pattern detectors. If a candidate matches a self sample it is rejected; otherwise it is added to the detector set [17]. This process continues until enough detectors have been created. The resulting detectors are then used to distinguish self from non-self samples in new data. By distinguishing self from non-self samples we distinguish normal from abnormal behaviour of hosts active on the Internet, and this is how we detect HTTP Bots: AIS provides a multilayered protection mechanism that discriminates between malicious and safe activity.

4. COMMUNICATION MECHANISM

The evolution to HTTP began with advances in "exploit kits", e.g. the Zeus and SpyEye Botnets. These kits, developed mainly by Russian cybercriminals, include Mpack, ICEPack and Fiesta. HTTP is a widely deployed, stateless protocol. A further feature of HTTP Bots is that they are firewall friendly; they use a C&C-server approach to perform an attack and can change their environment or IP address during the attack [15, 21]. Botmasters try to keep their Botnets invisible and portable by using DDNS (dynamic domain name system), a resolution service that eases frequent updates and changes of server location [11].
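The following is an added worked example, not code from the paper or its authors. It shows the negative selection algorithm described above (random candidate detectors, censored against self samples, then used to label new data) applied to the echo-style HTTP beaconing discussed in Sections 2 and 4. It uses one common variant of the algorithm, real-valued detectors with a hypersphere matching rule, rather than whatever matching rule the paper's framework uses. The per-host features (request rate, POST fraction, repetitiveness of requested paths), the feature scaling, the detector radius and count, the host addresses and the "forum.php" C&C path are all assumptions, and the access-log lines are constructed inline.

```python
import math
import random
import re
from collections import defaultdict

# --- Constructed sample data (not from the paper) -----------------------------------
# Access-log lines in Common Log Format for a fixed 10-minute window. Benign hosts
# fetch a handful of pages; 10.0.0.99 mimics an echo-style HTTP bot that POSTs to the
# same C&C script every 5 seconds. Hosts, paths and the C&C path are assumed.
BENIGN_PATHS = {
    "10.0.0.5": ["/index.html", "/news/today", "/images/logo.png", "/about"],
    "10.0.0.6": ["/index.html", "/login", "/cart", "/search?q=x", "/checkout"],
    "10.0.0.7": ["/blog/1", "/blog/2", "/blog/3"],
}

def constructed_log(include_bot):
    lines = []
    for host, paths in BENIGN_PATHS.items():
        for i, path in enumerate(paths * 3):
            method = "POST" if path in ("/login", "/checkout") else "GET"
            lines.append(f'{host} - - [01/May/2012:10:{i % 10:02d}:00 +0000] '
                         f'"{method} {path} HTTP/1.1" 200 512')
    if include_bot:
        for i in range(120):  # one beacon every 5 s for 10 minutes
            lines.append(f'10.0.0.99 - - [01/May/2012:10:{i // 12:02d}:{(i % 12) * 5:02d} +0000] '
                         f'"POST /forum.php?id=bot&ver=1 HTTP/1.1" 200 64')
    return lines

# --- Feature extraction ---------------------------------------------------------------
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(GET|POST) (\S+) HTTP/1\.[01]" \d{3} \d+$')
WINDOW_MINUTES = 10
MAX_RATE = 20.0   # requests/minute that maps to feature value 1.0 (assumed scale)

def host_features(lines):
    """Per-host vector in [0,1]^3: (request rate, POST fraction, repetitiveness of paths)."""
    acc = defaultdict(lambda: {"n": 0, "post": 0, "paths": set()})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # skip lines that do not parse
        host, method, path = m.groups()
        acc[host]["n"] += 1
        acc[host]["post"] += method == "POST"
        acc[host]["paths"].add(path)
    return {
        host: (min(1.0, c["n"] / WINDOW_MINUTES / MAX_RATE),
               c["post"] / c["n"],
               1.0 - len(c["paths"]) / c["n"])
        for host, c in acc.items()
    }

# --- Negative selection ---------------------------------------------------------------
def matches(detector, sample, radius):
    """A detector 'binds' a sample that lies inside its hypersphere."""
    return math.dist(detector, sample) <= radius

def generate_detectors(self_samples, n_detectors, radius, seed=7, max_attempts=200000):
    """Random candidates are kept only if they bind no self sample (the censoring step)."""
    rng = random.Random(seed)
    dims = len(next(iter(self_samples)))
    detectors = []
    for _ in range(max_attempts):
        if len(detectors) >= n_detectors:
            break
        candidate = tuple(rng.random() for _ in range(dims))
        if not any(matches(candidate, s, radius) for s in self_samples):
            detectors.append(candidate)
    return detectors

def classify(detectors, sample, radius):
    """Non-self if any detector binds the sample; self otherwise."""
    return "non-self" if any(matches(d, sample, radius) for d in detectors) else "self"

def detect_hosts(train_lines, test_lines, n_detectors=2000, radius=0.25):
    """Build the self set from traffic known to be clean, then label every host in test traffic."""
    self_samples = list(host_features(train_lines).values())
    detectors = generate_detectors(self_samples, n_detectors, radius)
    return {host: classify(detectors, fv, radius)
            for host, fv in host_features(test_lines).items()}

if __name__ == "__main__":
    labels = detect_hosts(constructed_log(False), constructed_log(True))
    for host, label in sorted(labels.items()):
        print(host, label)
```

Because a detector is discarded if it binds any self sample, and classification uses the same matching rule and radius, every host in the training set is guaranteed to be labelled self; the false-positive rate on unseen benign hosts depends on how well the self set covers normal behaviour, while the detection rate on bots depends on the number of detectors relative to the volume of non-self space.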